Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton

Valid

Reported on

Dec 9th 2021


Description

Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization.

Proof of Concept

  1. 1.Start a new web conference and share the link with other people
  2. 2.A malicious user joins the conference with the following username: <img%20src=#%20onerror=alert(document.cookie)>
  3. 3.As soon as the malicious user types on the "Shared notes" section (and the victim has the "Shared notes" section open) an alert popup is shown on the target user (in this case showing the document.cookie value ).

Impact

XSS vulnerabilities allow attackers to inject arbitrary javascript code to other users browser, leading to stealing user session cookies, defacing website, performing phishing and many others attacks.

Mitigation

User inputs should be always sanitized against such attacks to prevent attackers injecting malicious code. Is also important to perform output encoding in order to prevent unwanted code execution.

References

We are processing your report and will contact the bigbluebutton team within 24 hours. 6 months ago
We have contacted a member of the bigbluebutton team and are waiting to hear back 6 months ago
We have sent a follow up to the bigbluebutton team. We will try again in 7 days. 5 months ago
Anton Georgiev validated this vulnerability 5 months ago
lfama has been awarded the disclosure bounty
The fix bounty is now up for grabs
Anton Georgiev
5 months ago

Maintainer


The "fix" has been to switch the fork where we pull a plugin from. This "fix" has been released with versions 2.3.17 and 2.4.0 and I'd rather wait a day or so before confirming it fully resolved. It's not a glorious fix, it's a packaging change.

lfama
5 months ago

Researcher


Hi Anton,

thank you for the update. I've just verified that the issue has been resolved in the new release and the XSS payload is not triggered anymore. Could you please confirm the report as resolved?

Thanks! Luca

lfama
5 months ago

Researcher


Hi Anton,

any update?

Thanks! Luca

Anton Georgiev confirmed that a fix has been merged on 62040b 4 months ago
The fix bounty has been dropped
component.jsx#L1-L142 has been validated
to join this conversation